Evaluation of transaction authentication methods for online banking

摘要

AbstractAuthentication is a major research topic in the information security field. Much has been written about assessing entity (user) authentication methods, but there is a lack of literature concerning the evaluation of financial transaction authentication in online banking. Entity authentication methods have been systematized by quantifying their qualitative aspects, but there is no evaluation mechanism which also places the additional characteristics of transaction authentication in a user-centric context. Based on an existing mechanism which quantifies accessibility, memorability, security and vulnerability characteristics in entity authentication methods, we propose feasibility as an additional dimension which quantifies aspects related to the secure usability of transaction authentication methods. We also propose the use of this evaluation mechanism by multiple raters to reduce personal bias. Four implemented and eight proposed authentication methods for online banking were evaluated by seven experts. The results indicate that the mechanism can be applied on a wide range of authentication methods, since it is able to evaluate methods based on different information schemes. However, care must be taken that evaluations are performed by multiple experts, due to the amount of subjectivity inherent in the mechanism and in the different opinions of the raters.Highlights•We introduced a qualitative evaluation mechanism for online banking authentication.•Seven raters examine 12 online banking authentication methods with our mechanism.•Bank-issued authentication devices overall have a qualitative very good fit.•Most user-owned devices fit poorly compared to bank-issued devices.